Cap rancher-external-ip-webhook to <=1.21

[cbron]

The below was shipped in 1.21 and should fix CVE-2020-8554, which means we could cap rancher-external-ip-webhook at <=1.21. This will give users 1 full cycle to transition.

• https://github.com/kubernetes/enhancements/issues/ 2200
• https://github.com/kubernetes/kubernetes/issues/ 97110

First we need to ensure the upstream fix is a replacement for this chart.

[cmurphy]

The new admission controller blocks the use of external IPs in Service resources entirely: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#denyserviceexternalips

The external-ip-webhook app enables an allowlist for certain IPs or CIDRs: https://github.com/rancher/externalip-webhook/blob/3252e5d20e5ab3cd9f1f21b5cff797ba617fce67/chart/questions.yaml#L3-L5

So the new admission controller is not a drop-in replacement for the webhook, and some users may still need the flexibility that the webhook provides on >1.21, so I do not think we should add this cap.

I can't find any documentation on using rancher-externalip-webhook in rancher.com/docs except for this blog post but if it exists we should convert it to recommend enabling the feature gate and only using the webhook if they need that flexibility.

[cmurphy]

Summary from security meeting: we'll go ahead with this cap for now and revisit supporting the webhook if it becomes apparent that users need the webhook's flexibility.

[anupama2501]

Moving to-test column as it requires k8s 1.22 in rancher for validating.

From @cmurphy to validate:

the fix in kubernetes exists in 1.21, but the issue is about preventing the chart from installing on 1.22
we still allow it to be installed on 1.21 to give users time to transition

If we try to install external-ip-webhook chart on k8s 1.22 downstream cluster , installation should not go through

[anupama2501]

Verified on v2.6-head 4375161

• Created a node driver RKE1 cluster on v1.22.3-rancher1-1
• Tried installing the external-ip-webhook app
• Installation failed with the error:

helm install --namespace=cattle-externalip-system --timeout=10m0s --values=/home/shell/helm/values-rancher-external-ip-webhook-100.0.1-up1.0.1-rc3.yaml --version=100.0.1+up1.0.1-rc3 --wait=true rancher-external-ip-webhook /home/shell/helm/rancher-external-ip-webhook-100.0.1-up1.0.1-rc3.tgz
Error: INSTALLATION FAILED: chart requires kubeVersion: < 1.22.0 which is incompatible with Kubernetes v1.22.3

Upgrade:

• Installed the rancher-external-ip-webhook on k8s v1.21.6rancher1-1 and verified the kubeVersion < 1.22.0 is set

> kubectl get apps rancher-external-ip-webhook -n cattle-externalip-system -o yaml| grep kubeVersion
            f:kubeVersion: {}
      kubeVersion: < 1.22.0

• Upgraded the k8s version to v1.22.3-rancher1-1
• Tried upgrading the webhook app and the upgrade failed:

Wed, Nov 24 2021 3:01:53 pm | helm upgrade --history-max=5 --install=true --namespace=cattle-externalip-system --timeout=10m0s --values=/home/shell/helm/values-rancher-external-ip-webhook-100.0.1-up1.0.1-rc3.yaml --version=100.0.1+up1.0.1-rc3 --wait=true rancher-external-ip-webhook /home/shell/helm/rancher-external-ip-webhook-100.0.1-up1.0.1-rc3.tgz
Wed, Nov 24 2021 3:01:53 pm | Error: UPGRADE FAILED: chart requires kubeVersion: < 1.22.0 which is incompatible with Kubernetes v1.22.3